Microsoft Releases Azure Active Directory Conditional Access Service

Microsoft's Azure Active Directory conditional access service is now generally available, according to the company.

In essence, Microsoft is signaling that the ability to set up multifactor authentication challenges for users of various Azure AD-managed applications is now ready for production use. This capability was at the preview stage last month for Exchange Online and SharePoint Online users. A multifactor challenge is a secondary identity check beyond the password, such as a code sent by text message, a response to an automated phone call, or an approval in the authenticator mobile app.

Only applications or services that use so-called "modern authentication" can take part in this multifactor challenge scheme. By modern authentication, Microsoft means that the application or service signs users in through the Active Directory Authentication Library (ADAL), rather than through the older basic-authentication flows that cannot be interrupted for a second factor. Microsoft maintains a list of those applications in a support article.

Examples of applications and services that are supported using the new Azure AD conditional access approach include some Office 365 services (Exchange, SharePoint and Yammer) and Dynamics CRM. Federated and single sign-on apps in the Azure AD application gallery also are supported. Premises-based apps are supported if they are managed using Azure AD or the Azure Application Proxy service.

IT pros set policies using Azure AD conditional access. Those policies "can be based on device health, MFA, location and detected risk," according to Microsoft's announcement. Several actions can be enforced. Organizations can compel multifactor authentication before granting access to an application. Alternatively, they can make the requirement conditional, such as requiring multifactor authentication only when the user is not at work, where "at work" means the sign-in originates from one of the organization's configured trusted IP ranges. It's also possible to block access outright when the user isn't at work.
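To make those policy options concrete, the following is an added example in Python, not code from Microsoft or from the article. It models conditional access evaluation as a small policy engine: each policy names the applications and users it covers, an optional location condition (where `AllTrusted` stands for the tenant's trusted IP ranges, i.e. "at work") and an optional sign-in risk condition, and a set of grant controls. The dictionary shape loosely follows the public Microsoft Graph `conditionalAccessPolicy` resource, but the evaluator itself, the trusted network `203.0.113.0/24`, the policy names, the users and the sample sign-ins are all constructed here for illustration.

```python
"""Toy evaluator for Azure AD-style conditional access policies (added example)."""
import ipaddress

# Constructed for this example: the tenant's trusted IP ranges, which is what
# "at work" means in Azure AD conditional access.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_ip(ip):
    """True when the client address falls inside a trusted ("at work") range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


# Four policies mirroring the options named in the article. Shape loosely
# follows the Graph conditionalAccessPolicy resource; names are made up.
POLICIES = [
    {   # Require MFA when not at work.
        "displayName": "Exchange Online: MFA when not at work",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["Exchange Online"]},
            "users": {"includeUsers": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Block access when not at work.
        "displayName": "Dynamics CRM: block when not at work",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["Dynamics CRM"]},
            "users": {"includeUsers": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Always require MFA and a healthy (compliant) device, wherever the user is.
        "displayName": "SharePoint Online: MFA and compliant device",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["SharePoint Online"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # Detected risk: block high-risk sign-ins to any app, even from the office.
        "displayName": "All apps: block high-risk sign-ins",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _location_matches(loc_cond, trusted):
    """'All' matches any network; 'AllTrusted' matches only trusted ranges.
    A policy applies when an include entry hits and no exclude entry hits."""
    if loc_cond is None:
        return True

    def hit(names):
        return any(n == "All" or (n == "AllTrusted" and trusted) for n in names)

    return hit(loc_cond.get("includeLocations", [])) and not hit(loc_cond.get("excludeLocations", []))


def policy_applies(policy, signin):
    """Does this policy's condition set cover the sign-in attempt?"""
    if policy.get("state") != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    users = cond["users"]["includeUsers"]
    if "All" not in users and signin["user"] not in users:
        return False
    risk_levels = cond.get("signInRiskLevels")
    if risk_levels and signin.get("risk", "none") not in risk_levels:
        return False
    return _location_matches(cond.get("locations"), is_trusted_ip(signin["ip"]))


def evaluate(signin, policies=POLICIES):
    """Combine every applicable policy: a single 'block' wins outright; otherwise
    the user must satisfy the union of the grant controls of all matched policies."""
    matched = [p for p in policies if policy_applies(p, signin)]
    names = [p["displayName"] for p in matched]
    required = set()
    for p in matched:
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            return {"decision": "block", "requiredControls": [], "matchedPolicies": names}
        required.update(controls)
    return {"decision": "grant", "requiredControls": sorted(required), "matchedPolicies": names}


if __name__ == "__main__":
    # Constructed sample sign-ins: the same user from the office and from home.
    for s in [{"user": "alice", "app": "Exchange Online", "ip": "203.0.113.10"},
              {"user": "alice", "app": "Exchange Online", "ip": "198.51.100.7"},
              {"user": "bob", "app": "Dynamics CRM", "ip": "198.51.100.7"},
              {"user": "carol", "app": "Yammer", "ip": "203.0.113.10", "risk": "high"}]:
        print(s["user"], s["app"], s["ip"], "->", evaluate(s))
```

Two design points are worth noting. First, block always wins: once any matched policy blocks, the controls collected from other policies are irrelevant, which is also how the real service combines policies. Second, the "not at work" condition is expressed as include-all-locations minus trusted-locations rather than as a separate "untrusted" list, so a new trusted range added to the tenant automatically relaxes every such policy; that convenience is exactly why changes to the trusted IP list deserve the same change control as the policies themselves.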

To use Azure AD conditional access, Microsoft requires an Azure AD Premium subscription, licensed per user. If a conditional access policy is applied to a user who isn't licensed for it, Microsoft records that in an "unlicensed usage report."